#Blue_Team_Techniques
Get-InjectedThreadEx - Detecting Thread Creation Trampolines
https://www.elastic.co/security-labs/get-injectedthreadex-detection-thread-creation-trampolines
]-> PowerShell detection script:
https://github.com/jdu2600/Get-InjectedThreadEx
#Blue_Team_Techniques
1. PowerHuntShares - audit script designed to inventory, analyze, and report excessive privileges configured on AD domains
https://github.com/NetSPI/PowerHuntShares
2. Open-source YARA signatures
https://github.com/pracsec/YaraTools
#Threat_Research
#Blue_Team_Techniques
1. Threatest - CLI and Go framework for end-to-end testing threat detection rules
https://github.com/DataDog/threatest
2. Detect Tactics, Techniques & Combat Threats
https://github.com/rabobank-cdc/DeTTECT
#tools
#Blue_Team_Techniques
1. Simple Bash IOC Scanner
https://github.com/Neo23x0/Fenrir
2. Firewalls under the hood - UFW
https://blog.kanbach.org/post/firewalls-under-the-hood-ufw
#Blue_Team_Techniques
Compromised Cloud Compute Credentials: Case Studies From the Wild
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials
#Blue_Team_Techniques
Incident Response Methodologies 2022
https://github.com/certsocietegenerale/IRM
// EN/ES/FR/RU Versions
#Blue_Team_Techniques
1. Linux kernel module generator for a hidden firewall that follows the rules in an external YAML file
https://github.com/CoolerVoid/HiddenWall
2. Guide to Use Sigma EVTX Checker
https://gist.github.com/Neo23x0/9eb505a00f7ba591645a6246fa6c5246
// Fast Go-based scanner for Linux, Windows, and macOS that applies Sigma rules and outputs the matches as JSON
#tools
#Blue_Team_Techniques
1. Potential Cloud Account Takeover
https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/blob/main/Credential%20Access/Potential%20Cloud%20Account%20Takeover.md
2. Kernel-mode WinDbg extension for Protected Process investigation
https://github.com/daem0nc0re/TangledWinExec/tree/main/ProtectedProcess#ppeditor
#tools
#Blue_Team_Techniques
1. HTML Smuggling Detection
https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841
2. Log4Shell-Scanner-Exploit - Bash script to identify the Log4j CVE-2021-44228 vulnerability remotely
https://github.com/julian911015/Log4j-Scanner-Exploit
#tools
#Blue_Team_Techniques
1. DeTT&CT: Automate your detection coverage with dettectinator
https://blog.nviso.eu/2023/01/04/dettct-automate-your-detection-coverage-with-dettectinator
]-> Python library for DeTT&CT YAML files:
https://github.com/siriussecurity/dettectinator
2. Actively hunt for attacker infrastructure by filtering Shodan results with URLScan data
https://github.com/montysecurity/InfraHunter
#Blue_Team_Techniques
1. Recognizing the APT groups most likely responsible for a cybersecurity incident from the MITRE ATT&CK techniques listed in the incident report
https://gitlab.com/bontchev/whodunit
2. Open source tool to aid in SOC investigations
https://github.com/zdhenard42/SOC-Multitool
Vesselin Bontchev / bpfdscan · GitLab
A BPFDoor scanner
#tools
#Blue_Team_Techniques
1. Python script that helps find the Path Traversal/RCE vulnerability in Apache 2.4.50 (CVE-2021-42013)
https://github.com/walnutsecurity/cve-2021-42013
2. Tool to check for dependency confusion vulnerabilities in multiple package management systems
https://github.com/visma-prodsec/confused
#tools
#Malware_analysis
#Blue_Team_Techniques
Automating Malware Analysis Operations (MAOps)
https://blogs.jpcert.or.jp/en/2023/01/cloud_malware_analysis.html
]-> Malware C2 Monitoring:
https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC
]-> Malware Hunting using Cloud:
https://github.com/JPCERTCC/CobaltStrike-Config
]-> YARA CI/CD system:
https://github.com/JPCERTCC/HUILoader-research
]-> Surface Analysis System on Cloud:
https://github.com/JPCERTCC/SurfaceAnalysis-on-Cloud
]-> Memory Forensic on Cloud:
https://github.com/JPCERTCC/MemoryForensic-on-Cloud
#tools
#Blue_Team_Techniques
1. Detecting Fake Events in Azure Sign-in Logs
https://www.inversecos.com/2023/01/detecting-fake-events-in-azure-sign-in.html
2. Crassus - Windows privilege escalation discovery tool
https://github.com/vullabs/Crassus
#tools
#Blue_Team_Techniques
1. MIMEDefang - e-mail filtering tool that works with the Sendmail "Milter" library
https://github.com/The-McGrail-Foundation/MIMEDefang
2. Automated Penetration Testing Reporting System
https://github.com/Anof-cyber/APTRS
#Blue_Team_Techniques
1. YARA/Sigma rule to detect the exploitation of ManageEngine ServiceDesk CVE-2022-47966
https://github.com/Neo23x0/signature-base/blob/master/yara/expl_manageengine_jan23.yar
https://github.com/SigmaHQ/sigma/pull/3935/files
2. Investigate malicious Windows logons by visualizing and analyzing Windows event logs
https://github.com/JPCERTCC/LogonTracer